From owner-freebsd-security@FreeBSD.ORG Sat Jan 10 18:49:24 2004
Date: Sat, 10 Jan 2004 21:47:47 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: David Edwards
cc: freebsd-security@freebsd.org
In-Reply-To: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>
Subject: Re: Need some help on security
List-Id: Security issues [members-only posting]

On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding
> after someone tried to gain access to what looks to be web based
> printing. I am not familiar with any firewall/IDS solutions and have
> looked over Snort and IPFW today. I don't want to do IPFW because I
> don't want to recompile a kernel that works and potentially lose
> everything I have done so far.
>
> Here is a bit of the apache error_log which shows the issue I am
> referring to:
>
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/home/dbcenter/public_html/NULL.printer
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/local/apache/htdocs/NULL.printer

Well, these log entries are for attempted exploits of Microsoft's IIS, and
shouldn't be a problem.  The error messages can safely be ignored.

However, the "server stopped responding" bit doesn't sound good.  Was the
web server still running (i.e., Apache processes still present)?  What
does "ps -alx" show?  Were there any console messages regarding apache
stopping, or any error messages in the Apache log about it exiting or
changing states, as opposed to just file not found errors?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
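As an added example (not part of the thread, and not anything either poster ran), here is a small Python triage script for the log side of the advice above: it separates "File does not exist" noise caused by IIS-only probe paths from ordinary 404s, and pulls out the messages Apache 1.3 writes when the server itself dies, is signalled or restarts, which are the lines that would explain a "server stopped responding". The sample log is constructed here: the two NULL.printer lines are the ones David posted, while the segfaulting child, the MaxClients warning and the SIGTERM shutdown are invented to show the other categories. The extra IIS signature paths (default.ida, cmd.exe, root.exe) are well-known worm/scanner probes added by me; the thread only mentions .printer.

```python
"""Triage an Apache 1.3-style error_log: IIS probe noise vs. server trouble."""
import re
from collections import Counter

# Apache 1.3 error_log line: "[timestamp] [level] [client ip] message".
# The "[client ...]" field is absent for server-wide notices.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# Request paths that only make sense against IIS. ".printer" is the one from
# the thread; the others are well-known IIS worm/scanner probes (assumption:
# you may extend this list for your own environment).
IIS_PROBE_RE = re.compile(r"(?:\.printer$|/default\.ida|/cmd\.exe|/root\.exe)", re.I)

# Messages Apache 1.3 logs when the server stops, a child dies, or it restarts.
LIFECYCLE_RE = re.compile(
    r"caught SIG|exit signal|shutting down|resuming normal operations|restarting",
    re.I,
)

# Constructed sample log. First two lines are from the thread; the rest are
# invented to exercise the other categories.
SAMPLE_LOG = """\
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:35:10 2004] [error] [client 10.0.0.5] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Sat Jan 10 01:40:22 2004] [notice] child pid 4121 exit signal Segmentation fault (11)
[Sat Jan 10 01:41:00 2004] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sat Jan 10 01:42:30 2004] [notice] caught SIGTERM, shutting down
"""


def parse_line(line):
    """Return the fields of one error_log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed entry: iis_probe, not_found, lifecycle or other."""
    msg = entry["msg"]
    if msg.startswith("File does not exist:"):
        path = msg.split(":", 1)[1].strip()
        return "iis_probe" if IIS_PROBE_RE.search(path) else "not_found"
    if LIFECYCLE_RE.search(msg):
        return "lifecycle"
    return "other"


def triage(log_text):
    """Bucket every line of the log; lifecycle/other lines are kept verbatim."""
    result = {
        "iis_probes": Counter(),   # probe hits per client address
        "not_found": 0,            # ordinary 404s, usually harmless
        "lifecycle": [],           # server stopped / child died / restarted
        "other": [],               # anything else worth a human look
        "unparsed": [],            # lines that did not match the format
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            result["unparsed"].append(raw)
            continue
        kind = classify(entry)
        if kind == "iis_probe":
            result["iis_probes"][entry["client"] or "-"] += 1
        elif kind == "not_found":
            result["not_found"] += 1
        else:
            result[kind].append(raw.strip())
    return result


def report(result):
    """Render the triage as text lines, most important first."""
    lines = ["== Server lifecycle events (explain an outage) =="]
    lines += result["lifecycle"] or ["(none)"]
    lines.append("== Other errors to review ==")
    lines += result["other"] or ["(none)"]
    lines.append("== IIS probe noise by client (safe to ignore) ==")
    lines += [f"{ip}: {n}" for ip, n in result["iis_probes"].most_common()]
    lines.append(f"== Plain 404s: {result['not_found']} ==")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

This only reads the log; it does not replace checking `ps -alx` and the console for whether httpd is still present. On a real box, feed it `/usr/local/apache/logs/error_log` instead of the constructed sample.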